InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Collection firm to pay $100,000 for operating without a license
On December 1, the Connecticut Department of Banking (Department) fined a collection law firm $100,000 and ordered it to cease and desist from collection activity for operating without a valid license. According to the order, in August, the Department issued a temporary order to cease and desist, a notice of intent to issue order to cease and desist, a notice of intent to impose a civil penalty, and a notice of a right to a hearing, which provided the firm 14 days to respond to request a hearing. Furthermore, the firm was warned that if a request for hearing was not made, a cease and desist order would likely be forthcoming. During its investigation, the state discovered that in 2019, the firm was conducting unlicensed collection agency activity for about 10,000 Connecticut accounts with a total balance of about $1.4 million. The firm allegedly collected approximately $81,000 of that amount. In late 2019, the state sent the firm a certified letter regarding its collection activity and asked for a response, which was never provided. In the August order, the firm was asked to supply the state with a list of all the creditors with whom the firm has entered into agreements for consumer collection services since July 2018, including copies of all the agreements with those creditors, and an itemized list of each Connecticut debtor account that the firm had attempted collections on for the same time period.
DFPI issues reminder to debt collection licensing applicants
Recently, the California Department of Financial Protection and Innovation (DFPI) issued a reminder that starting January 1, 2023, the agency will begin approving applications under the Debt Collection Licensing Act. As previously covered by InfoBytes, the California governor signed AB 156 in September to allow any debt collector that submits an application to the DFPI commissioner by January 1, 2023, to operate pending the approval or denial of the application. DFPI reminded applicants that background checks will be performed at a later date. The period for individuals to provide fingerprints upon request from DFPI is extended from 60 to 90 days. Written notification will be sent to applicants through the Nationwide Multi-State Licensing System 90 days prior to fingerprinting being due. Additionally, DFPI stated that due to the delay in the application process, final approvals may be delayed. Further announcements will be issued in the coming weeks concerning conditional approvals, DFPI said, noting that it will provide at least 30 days' notice before implementing any changes to existing processes.
SEC accuses defendants of engaging in $6 million fraudulent offering scheme
On December 7, the SEC filed a complaint against a venture capital firm and its co-founder and CEO (collectively, “defendants”) for allegedly making fraudulent offers and sales of purported shares of sought-after pre-IPO companies. According to the SEC, the defendants did not own the shares at the time of the solicitations and never acquired them. Instead of purchasing the securities, the SEC alleged that the CEO used the investor funds for personal use and created fraudulent documentation and statements to deceive investors. The SEC also alleged that the CEO’s other co-founder “performed important tasks with respect to the company including opening business bank accounts, completing paperwork necessary to form the business, and other administrative tasks,” and encountered, but failed, to act upon sufficient red flags regarding the company’s operations. The SEC’s complaint alleged violations of antifraud provisions of the federal securities laws and is seeking permanent injunctive relief, disgorgement plus prejudgment interest, and civil penalties against the defendants.
SEC issues guidance for disclosing crypto-asset risks
Recently, the SEC's Division of Corporation Finance issued guidance accompanied by a illustrative letter containing sample comments that the Division may issue to companies following the recent “widespread disruption” in the crypto asset markets. The Division said it “believes that companies should evaluate their disclosures with a view towards providing investors with specific, tailored disclosure about market events and conditions, the company’s situation in relation to those events and conditions, and the potential impact on investors.” Companies with ongoing reporting obligations “should consider whether their existing disclosures should be updated.”
The sample comments, which are not exhaustive, are designed to help companies meet their disclosure obligations by “consider[ing] the need to address crypto asset market developments in their filings generally, including in their business descriptions, risk factors, and management’s discussion and analysis.” The Division urged companies to “take these sample comments into consideration” as they prepare disclosure documents that may not typically be subject to review by the Division before their use, such as automatically effective registration statements and prospectus supplements for takedowns from existing shelf registration statements.
The sample comments “focus on the need for clear disclosure about the material impacts of crypto asset market developments, which may include a company’s exposure to counterparties and other market participants; risks related to a company’s liquidity and ability to obtain financing; and risks related to legal proceedings, investigations, or regulatory impacts in the crypto asset markets.”
OFAC sanctions Zimbabwean persons
On December 12, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13469 against four Zimbabwean individuals, including the son of the President of Zimbabwe, and two Zimbabwean entities connected to a previously designated individual and his company that were sanctioned for materially assisting, sponsoring, or providing financial, material, logistical, or technical support for the Government of Zimbabwe. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.” Additionally, U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
OFAC also removed seventeen Zimbabweans from the Specially Designated Nationals and Blocked Persons List after determining that they “no longer undermine Zimbabwe’s democratic processes and institutions or meet any of the other criteria for designation under OFAC’s Zimbabwe sanctions program.”
FinCEN further extends FBAR filing deadline for certain individuals
On December 9, the Financial Crimes Enforcement Network (FinCEN) issued Notice 2022-1 to further extend the time for certain Report of Foreign Bank and Financial Accounts (FBAR) filings in light of the agency’s March 2016 notice of proposed rulemaking, which proposed to revise the Bank Secrecy Act’s implementing regulations regarding FBARs. (See previous InfoBytes coverage on the 2016 NPR here.) Specifically, one of the proposed amendments seeks to “expand and clarify the exemptions for certain U.S. persons with signature or other authority over foreign financial accounts,” but with no financial interest, as outlined in FinCEN Notice 2021-1 issued December 9, 2021. FinCEN noted that because the proposal has not been finalized, it is further extending the filing due date to April 15, 2024, for individuals who previously qualified for a filing due date extension under Notice 2021-1. All other individuals must submit FBAR filings by April 15, 2023.
G7 Cyber Expert Group releases reports on ransomware and third-party risk
On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the reports “are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.”
The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing ransomware threats. The “non-prescriptive and non-binding” report is meant to guide public and private financial institutions for their own internal ransomware mitigation activities and “provide[s] an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7.”
The Fundamental Elements of Third-Party Risk Management for the Financial Sector updates a previous version published in 2018. According to the announcement, the updated report was necessary due to the increase in use of service providers by financial institutions in their central operational functions and subsequent vulnerabilities as a result of such reliance. The update includes explicit recommendations for monitoring risks along the supply chain and identifying systemically important third-party providers and concentration risks.
District Court stays action against remittance provider while Supreme Court weighs CFPB’s funding structure
On December 9, the U.S. District Court for the Southern District of New York stayed an action brought by the CFPB and the New York attorney general against a defendant remittance provider until after the U.S. Supreme Court decides if it will review whether the U.S. Court of Appeals for the Fifth Circuit erred in holding that the Bureau’s funding structure violates the Appropriations Clause of the Constitution. Last month the DOJ, on behalf of the CFPB, submitted a petition for a writ of certiorari seeking Supreme Court review of the 5th Circuit’s decision during its current term. (Covered by InfoBytes here.) The New York AG and the Bureau sued the defendant in April for allegedly violating the EFTA and its implementing Regulation E, the Remittance Rule, and the Consumer Financial Protection Act (CFPA), among various consumer financial protection laws, in its handling of remittance transfers. (Covered by InfoBytes here.)
The defendant argued that the district court should hold off on deciding on its motion to dismiss per the aforementioned argument, but should nonetheless rule on its pending motion to transfer. The Bureau opposed the defendant’s request for a stay, countering “that a stay would not promote efficiency” since the issue of the Bureau’s standing would not affect the claims brought in the current action. The Bureau further asserted “that the public and the parties’ interest weighs against a stay, as it would hinder Plaintiffs’ enforcement of the consumer protection laws and make obtaining evidence down the line more difficult.”
The district court disagreed, stating that the Supreme Court may address the broader issue of the Bureau’s standing to bring enforcement actions in its decision, and that, regardless, the agency’s claims in the current action “are inextricably linked to CFPB rules and regulations, which themselves may be implicated by a Supreme Court decision should it grant the petition.” The district court stayed the case in its entirety and said that it will wait to decide on both motions until after the Supreme Court decides on the Bureau’s filed petition for a writ of certiorari.
Parties reach agreement to resolve data scraping allegations
On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by Infobytes here.)
As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying url data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.
District Court says sellers may be vicariously liable for third-party TCPA violations
On December 5, the U.S. District Court for the Western District of Washington denied an online retail pharmacy’s (defendant) motion for summary judgment in a TCPA suit. According to the order, the defendant engaged with a third party to call potential customers and transfer leads who were interested in the defendant’s services to its inbound call center. The order further noted that the third party contracted with another company to generate leads. Like the third party, the company did not make any calls but contracted with one or more vendors to place calls. The plaintiff received two calls from a prerecorded message that introduced itself as a person with the company. After asking the plaintiff if anyone in the household used prescription medications, among other things, he was transferred to an employee of the defendant who identified the defendant company by name and tried to sell the plaintiff their services. The plaintiff sued the defendant, arguing that it was “vicariously liable” for calls he received from a telemarketer that transferred the calls to the defendant’s sales representative. The defendant argued it was not directly liable under the TCPA because it did not directly place the calls to the plaintiff. The defendant also said it was not vicariously liable for calls placed by vendors because those vendors did not have express or implied actual authority to place calls for the defendant.
According to the district court, courts may hold sellers such as the defendant vicariously liable for TCPA violations of third-party callers “where the plaintiff establishes an agency relationship, as defined by federal common law, between the defendant and the third-party caller.” The court further wrote that labeling the contracted company “an independent contractor in the agreement with [the defendant] does not foreclose a finding that an agency relationship existed.” The district court also noted that there was a “genuine issue” of material fact as to whether the defendant had an agency relationship with the contracted company’s vendor.